Hello, I'm experimenting with VMs and firewalld while trying to get comfortable with CentOS 8 and am hitting a bit of a wall; hopefully someone here can point me in the right direction.

[What I'd like to do]

I have a LAN (192.168.2.0/24) with my CentOS 8 VM host (192.168.2.3). I also have a file server with a samba share at 192.168.2.2. On my VM host, I'm trying to run a Windows VM so I can use a USB device that has Windows-only drivers, and then write some files to my samba share. However, I don't trust Windows, so I want to block all network traffic associated with this VM *except* the samba connection to my file server.

I'm using libvirt to run this VM, and thought I'd like to have a dedicated libvirt virtual network that's "disconnected" in this way; it has no connection ability apart from that which I whitelist. This network is called "libvirt_discon", and it uses libvirt NAT forwarding and DHCP. Its subnet is 192.168.100.0/24.

[What I've done]

I created a new firewalld zone called "libvirt_discon" and assigned the libvirt network's device "virbr1" to the zone (this is done via the libvirt network XML). I added dhcp to the list of the zone's services, and can confirm this allows the machine to get an IP address. I set the zone's target to "%%REJECT%%" since I want this to be the default behavior of the zone. Then I tried to whitelist samba with the following rich rule:

    firewall-cmd --zone=libvirt_discon --add-rich-rule='rule family=ipv4 destination address=192.168.2.2 service name=samba accept'

This does not work; I'm testing with a Fedora machine on the libvirt_discon network and trying to list the samba shares, and my connection is immediately rejected:

    $ smbclient --user=samba --list=192.168.2.2
    do_connect: Connection to 192.168.2.2 failed (Error NT_STATUS_HOST_UNREACHABLE)

[Questions]

I suspect I'm stumbling because I'm using libvirt NAT instead of a bridged device (which admittedly I don't fully understand).

Dumping the nft ruleset, it looks like my zone settings strictly affect the zone's input chain. At some point my packets need to traverse the NAT from virbr1 (zone libvirt_discon) to my Ethernet NIC (zone public), and back again. I'm not sure how this works; could someone shed some light on that?

Do I need to enable masquerade on one of the zones here, and if so, which one or both? When exactly do I need to enable masquerade?

Are these considered FORWARDed packets, and therefore do the INPUT chain rules I've actually written with my rich rule not apply? (They demonstrably are not logging.)

Thank you very much for your time; hopefully someone can point me in the right direction based on what I'm trying to accomplish.
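The post's observation that the zone's rich rule only lands in the zone's input chain is the key point: in firewalld, a zone's services and rich rules filter traffic addressed *to the host* on that zone's interfaces, while traffic the host *forwards* from one interface to another is filtered by a policy object with an ingress zone and an egress zone (policies exist in firewalld 0.9 and newer). The script below is an added example, not code from the original post or from the firewalld or libvirt projects. It assumes firewalld 0.9 or newer, the zone names and addresses given in the post (virbr1 in "libvirt_discon", the LAN NIC in "public", the file server at 192.168.2.2), that libvirt's NAT network keeps providing the masquerade for virbr1 as it does by default, and it uses a hypothetical policy name "libvirt_discon_to_lan". By default it prints the firewall-cmd invocations it would run; set APPLY=yes to execute them.

```shell
#!/bin/sh
# Added example (not part of the original post): filter *forwarded* traffic
# from the VM network to the LAN with a firewalld policy whose default target
# is REJECT, allowing only samba to the file server.
#
# Assumptions (labelled): firewalld >= 0.9 (policy support); zone names and
# addresses from the post; libvirt keeps doing the POSTROUTING masquerade for
# virbr1; the policy name below is hypothetical.

VM_ZONE="libvirt_discon"          # zone that holds virbr1 (from the post)
LAN_ZONE="public"                 # zone that holds the host's LAN NIC (from the post)
POLICY="${VM_ZONE}_to_lan"        # hypothetical policy name
FILESERVER="192.168.2.2"          # samba host from the post

# Rich rule that accepts only the samba service towards one destination host.
# Same syntax as the zone rich rule in the post; the difference is where it
# is attached (a forward policy instead of a zone's input chain).
samba_rich_rule() {
    printf 'rule family=ipv4 destination address=%s service name=samba accept' "$1"
}

# Emit the firewall-cmd invocations that build the policy.
#  - ingress zone: where forwarded packets come in (virbr1)
#  - egress zone:  where they go out (the LAN NIC)
#  - target REJECT: everything not explicitly accepted is refused
# Reply packets are covered by firewalld's global established/related rule,
# so no second policy in the LAN -> VM direction is needed for this flow.
policy_commands() {
    cat <<EOF
firewall-cmd --permanent --new-policy $POLICY
firewall-cmd --permanent --policy $POLICY --add-ingress-zone $VM_ZONE
firewall-cmd --permanent --policy $POLICY --add-egress-zone $LAN_ZONE
firewall-cmd --permanent --policy $POLICY --set-target REJECT
firewall-cmd --permanent --policy $POLICY --add-rich-rule='$(samba_rich_rule "$FILESERVER")'
firewall-cmd --reload
EOF
}

# Commands to confirm the policy after the reload: the ingress/egress zones,
# the REJECT target and the single rich rule should all show up.
verify_commands() {
    cat <<EOF
firewall-cmd --info-policy $POLICY
firewall-cmd --policy $POLICY --list-rich-rules
EOF
}

# Dry run by default; APPLY=yes executes the commands on a firewalld host.
if [ "${APPLY:-no}" = "yes" ]; then
    policy_commands | sh -e
    verify_commands | sh -e
else
    echo "# would run:"
    policy_commands
    echo "# then verify with:"
    verify_commands
fi
```

The zone's existing %%REJECT%% target and dhcp service keep doing their job for traffic aimed at the host itself (the DHCP lease still works), and the policy takes over for the forwarded path that the zone rules never saw. From the VM side, the smbclient listing in the post should now succeed while any other destination is refused; on the host, the policy's rich rule is what should count hits in the ruleset rather than the zone's input chain.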